Bug 1582729

Summary: avc: denied { dac_override } for pid=3429 comm="dovecot"
Product: Fedora
Component: dovecot
Version: 28
Status: CLOSED DUPLICATE
Type: Bug
Reporter: Matt Kinni <matt>
Assignee: Michal Hlavinka <mhlavink>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bennie.joubert, dan, dwalsh, janfrode, jk, lvrabec, matt, mgrepl, mhlavink, plautrba, pmoore, pokorra.mailinglists
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-06-07 08:05:16 UTC

Attachments:
/etc/dovecot.conf config file

Description Matt Kinni 2018-05-26 13:46:13 UTC
Created attachment 1441897 [details]
/etc/dovecot.conf  config file

Description of problem:
Hello,
I have a rather standard dovecot config (attached) that ran fine under F27, but after upgrading to F28 I received an SELinux error when starting the service:

----
time->Sat May 26 13:21:20 2018
type=AVC msg=audit(1527340880.376:524): avc:  denied  { dac_override } for  pid=3429 comm="dovecot" capability=1  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
----
time->Sat May 26 13:21:20 2018
type=AVC msg=audit(1527340880.377:525): avc:  denied  { dac_override } for  pid=3429 comm="dovecot" capability=1  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0


The corresponding journal entries for dovecot:

May 26 13:21:20 server.com systemd[1]: Starting Dovecot IMAP/POP3 email server...
May 26 13:21:20 server.com dovecot[3429]: Error: bind(/var/spool/postfix/private/dovecot-lmtp) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: Error: service(lmtp): net_listen_unix(/var/spool/postfix/private/dovecot-lmtp) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: master: Error: bind(/var/spool/postfix/private/dovecot-lmtp) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: Error: bind(/var/spool/postfix/private/auth) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: Error: service(auth): net_listen_unix(/var/spool/postfix/private/auth) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: Fatal: Failed to start listeners
May 26 13:21:20 server.com dovecot[3429]: master: Error: service(lmtp): net_listen_unix(/var/spool/postfix/private/dovecot-lmtp) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: master: Error: bind(/var/spool/postfix/private/auth) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: master: Error: service(auth): net_listen_unix(/var/spool/postfix/private/auth) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: master: Fatal: Failed to start listeners
May 26 13:21:20 server.com systemd[1]: dovecot.service: Control process exited, code=exited status=89
May 26 13:21:20 server.com systemd[1]: dovecot.service: Failed with result 'exit-code'.
May 26 13:21:20 server.com systemd[1]: Failed to start Dovecot IMAP/POP3 email server.


I was able to fix the problem by creating the following SELinux module:

-------
module dovecot_selfcapability_dacOverride 1.0;

require {
        type dovecot_t;
        class capability dac_override;
}

#============= dovecot_t ==============
allow dovecot_t self:capability dac_override;
-------


Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-29.fc28.noarch
selinux-policy-targeted-3.14.1-29.fc28.noarch
dovecot-2.2.35-2.fc28.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Try to start dovecot using the default config or the one attached to this report

Actual results:
Selinux error

Expected results:
Service starts

Additional info:

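The following triage helper is an added example, not part of the report and not Dovecot's or the policy's own code. It parses the AVC denials and the journal errors quoted above, resolves the numeric `capability=1` to its name, and pairs each `dac_override` denial with the socket paths that failed, producing the directory ownership/mode checks to run against the service's uid/gid before any domain is granted the capability outright. The capability table, the regular expressions and the `parse_avc`, `denied_paths` and `triage` functions are this example's own; the sample lines are the ones from the report.

```python
import os
import re

# Capability numbers as defined in <linux/capability.h>. The table is
# deliberately partial: it names the capabilities that most often appear in
# AVC "tclass=capability" denials; unknown numbers fall back to "cap_N".
CAPABILITY_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    10: "net_bind_service", 12: "net_admin", 13: "net_raw",
    18: "sys_chroot", 21: "sys_admin", 27: "mknod",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Dovecot reports a failed listener as bind(<path>) or net_listen_unix(<path>).
PERM_ERR_RE = re.compile(r"(?:bind|net_listen_unix)\((?P<path>[^)]+)\) failed: Permission denied")

# Sample input: the audit and journal lines quoted in the report.
AUDIT_LINES = [
    'type=AVC msg=audit(1527340880.376:524): avc:  denied  { dac_override } for  pid=3429 comm="dovecot" capability=1  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1527340880.377:525): avc:  denied  { dac_override } for  pid=3429 comm="dovecot" capability=1  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0',
]
JOURNAL_LINES = [
    "May 26 13:21:20 server.com dovecot[3429]: Error: bind(/var/spool/postfix/private/dovecot-lmtp) failed: Permission denied",
    "May 26 13:21:20 server.com dovecot[3429]: Error: service(lmtp): net_listen_unix(/var/spool/postfix/private/dovecot-lmtp) failed: Permission denied",
    "May 26 13:21:20 server.com dovecot[3429]: Error: bind(/var/spool/postfix/private/auth) failed: Permission denied",
    "May 26 13:21:20 server.com dovecot[3429]: Fatal: Failed to start listeners",
]


def parse_avc(line):
    """Parse one AVC denial into its permissions and key=value fields.

    Returns None for lines that are not AVC denials. For tclass=capability
    the numeric capability field is resolved to its name.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    capability = None
    if fields.get("tclass") == "capability" and "capability" in fields:
        number = int(fields["capability"])
        capability = CAPABILITY_NAMES.get(number, "cap_%d" % number)
    return {"perms": m.group("perms").split(), "fields": fields, "capability": capability}


def denied_paths(journal_lines):
    """Paths the service itself reported as 'Permission denied', in first-seen order."""
    paths = []
    for line in journal_lines:
        m = PERM_ERR_RE.search(line)
        if m and m.group("path") not in paths:
            paths.append(m.group("path"))
    return paths


def triage(audit_lines, journal_lines):
    """Pair each dac_override denial with the failing paths and the DAC checks to run.

    A dac_override denial means the process's uid/gid failed the ordinary
    permission bits and the kernel consulted CAP_DAC_OVERRIDE to bypass them.
    For bind() on a UNIX socket the bits that matter are write and search on
    the parent directory, so the checks target directories, not socket files.
    """
    paths = denied_paths(journal_lines)
    directories = []
    for p in paths:
        d = os.path.dirname(p)
        if d not in directories:
            directories.append(d)
    findings = []
    for line in audit_lines:
        avc = parse_avc(line)
        if avc is None or avc["capability"] != "dac_override":
            continue
        f = avc["fields"]
        scontext = f.get("scontext", "")
        domain = scontext.split(":")[2] if scontext.count(":") >= 2 else None
        findings.append({
            "comm": f.get("comm"),
            "pid": f.get("pid"),
            "domain": domain,
            "paths": paths,
            "directories": directories,
            # Compare directory owner/mode with the service's uid/gid; when the
            # mismatch is fixed there, the capability is no longer requested.
            "checks": ["stat -c '%U:%G %a %n' " + d for d in directories],
        })
    return findings


if __name__ == "__main__":
    for finding in triage(AUDIT_LINES, JOURNAL_LINES):
        print(finding)
```

Run against real hosts by feeding it the output of `ausearch -m AVC` and `journalctl -u dovecot`; a finding whose directory is owned by another service account with a restrictive mode points at a DAC fix (or a narrowly scoped policy) rather than a blanket `allow ... self:capability dac_override`.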
Comment 1 Laurent Jacquot 2018-05-28 18:30:00 UTC
same error here using cyrus

deliver (which is a cyrus-imap process) cannot connect to /var/lib/imap/socket/lmtp since last update

allowing dac_override fixes it (there was also a problem accessing /proc/<pid> files)


module MyCyrus 1.0;

require {
	type init_t;
	type cyrus_t;
	class capability dac_override;
	class file { open read };
}

#============= cyrus_t ==============
allow cyrus_t init_t:file { open read };
allow cyrus_t self:capability dac_override;

Version-Release number of selected component
selinux-policy-3.14.1-25.fc28.noarch
selinux-policy-targeted-3.14.1-25.fc28.noarch
cyrus-imapd-3.0.5-7.fc28.x86_64

Comment 2 Michal Hlavinka 2018-06-07 08:05:16 UTC

*** This bug has been marked as a duplicate of bug 1578872 ***